
Recent updates to Prometei botnet reveal enhanced modules and expanded capabilities

The Prometei botnet has been an ongoing threat since Cisco Talos first reported on it in 2020. As of November 2022, the operators have improved the botnet's infrastructure components and capabilities, including submodules of the execution chain that automate processes and complicate forensic analysis. Based on data obtained by sinkholing the DGA domains over a one-week period in February 2023, the Prometei v3 botnet is estimated to be of medium size, with more than 10,000 infected systems worldwide. The actors have been actively spreading improved Linux versions of the bot and continue to refine the current version.

Recent observations have revealed previously undocumented functionality, such as an alternative C2 domain generation algorithm (DGA), a self-updating mechanism, and a bundled copy of the Apache web server with a web shell deployed onto victim hosts, all of which extend the botnet's technical capabilities. The bot's targeting may also have been influenced by the war in Ukraine: the only country excluded in its Tor configuration is Russia, whereas earlier variants also avoided exit nodes in other CIS countries.

Prometei primarily deploys a Monero cryptocurrency miner and has worm-like capabilities, making it a persistent threat to organizations. Talos assesses that the botnet is financially motivated, based on its cryptocurrency mining and credential theft activity, and that infections are likely opportunistic, targeting vulnerable entities across all regions and industry verticals.

Based on the sinkhole data, the geographical distribution of infected systems is roughly proportional to country population, with traffic captured from 155 countries. The most populous countries have the largest numbers of infected systems, with the exceptions of Brazil, Indonesia, and Turkey, which show a higher proportion of infections than their populations would predict. Russia stands out with a disproportionately small number of infections, accounting for 0.31 percent of all infected systems, which supports the assessment, drawn from the bot's Tor configuration, that its targeting is influenced by the Russia-Ukraine conflict.
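The population-normalised comparison described above is easy to reproduce against your own sinkhole logs. The following is an added example, not code from Talos or from this post; the sinkhole hits and the population figures it uses are constructed for illustration (the IPs are documentation ranges, the populations are arbitrary units), so the ratios it prints say nothing about the real Prometei dataset. It counts distinct source IPs rather than raw hits, because every bot beacons repeatedly and hit counts would otherwise inflate the infection estimate.

```python
from collections import Counter, defaultdict

# Constructed sample of sinkhole hits, one tuple per request that reached the
# sinkhole: (source IP, GeoIP country). Illustrative only; not Talos's data
# and not real infected addresses (RFC 5737 documentation ranges).
SINKHOLE_HITS = [
    ("203.0.113.10", "BR"), ("203.0.113.11", "BR"), ("203.0.113.12", "BR"),
    ("198.51.100.5", "ID"), ("198.51.100.6", "ID"), ("198.51.100.7", "ID"),
    ("192.0.2.40", "TR"), ("192.0.2.41", "TR"),
    ("192.0.2.90", "RU"), ("192.0.2.90", "RU"), ("192.0.2.90", "RU"),  # one host, three beacons
    ("192.0.2.200", "US"),
]

# Constructed population figures (arbitrary units) used only to demonstrate
# the normalisation; a real analysis would use current census estimates.
POPULATION = {"BR": 200, "ID": 200, "TR": 100, "RU": 150, "US": 350}


def unique_hosts_by_country(hits):
    """Count distinct source IPs per country.

    Raw hit counts overstate infections because each bot beacons many times
    during the capture window. Distinct IPs are a better proxy, though still
    imperfect: NAT hides multiple hosts behind one address and DHCP churn
    can make one host appear as several.
    """
    seen = defaultdict(set)
    for ip, cc in hits:
        seen[cc].add(ip)
    return Counter({cc: len(ips) for cc, ips in seen.items()})


def infection_share(hits):
    """Fraction of all observed infected hosts located in each country."""
    counts = unique_hosts_by_country(hits)
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items()}


def population_share(population):
    """Fraction of the total population living in each country."""
    total = sum(population.values())
    return {cc: p / total for cc, p in population.items()}


def over_representation(hits, population):
    """Ratio of a country's share of infections to its share of population.

    1.0 means infections simply track population; values well above 1 mark
    countries hit harder than their size predicts, values below 1 mark
    countries that are under-represented (as the post describes for Russia).
    Countries without a population figure are skipped rather than guessed.
    """
    inf = infection_share(hits)
    pop = population_share(population)
    return {cc: inf[cc] / pop[cc] for cc in inf if cc in pop}


if __name__ == "__main__":
    ratios = over_representation(SINKHOLE_HITS, POPULATION)
    for cc, ratio in sorted(ratios.items(), key=lambda kv: -kv[1]):
        print(f"{cc}: {ratio:.2f}")
```

Because the input is a flat list of (IP, country) pairs, the same functions run unchanged over a GeoIP-enriched export of real sinkhole logs; the only substitution needed is a real population table.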

The Prometei threat remains ongoing and is expected to evolve for the foreseeable future. The botnet's shared C2 infrastructure continues to show a steady stream of activity, with the operators regularly rotating its malware-hosting and cryptomining hosts. The regular updating and expansion of Prometei's modules demonstrate a commitment and technical knowledge that will enable the operators to continue spreading the botnet to new victims and adapting to new defenses and protections. The addition of backdoor capabilities and a bundled web shell could indicate an effort to add persistence measures that keep Prometei active on targeted machines, or a gradual shift or expansion to other types of payloads and activity.
